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Abstract 


This document is one in the series of documents that define various 
MIB objects for IPv6. Specifically, this document is the MIB module 
which defines managed objects for implementations of the Transmission 
Control Protocol (TCP) over IP Version 6 (IPv6). 


This document also recommends a specific policy with respect to the 

applicability of RFC 2012 for implementations of IPv6. Namely, that 
most of managed objects defined in RFC 2012 are independent of which 
IP versions underlie TCP, and only the TCP connection information is 
IP version-specific. 


This memo defines an experimental portion of the Management 
Information Base (MIB) for use with network management protocols in 
IPv6-based internets. 


1. Introduction 


A management system contains: several (potentially many) nodes, each 
with a processing entity, termed an agent, which has access to 
management instrumentation; at least one management station; and, a 
management protocol, used to convey management information between 
the agents and management stations. Operations of the protocol are 
carried out under an administrative framework which defines 
authentication, authorization, access control, and privacy policies. 
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Management stations execute management applications which monitor and 
control managed elements. Managed elements are devices such as 
hosts, routers, terminal servers, etc., which are monitored and 
controlled via access to their management information. 


Management information is viewed as a collection of managed objects, 
residing in a virtual information store, termed the Management 
Information Base (MIB). Collections of related objects are defined 
in MIB modules. These modules are written using a subset of OSI’s 
Abstract Syntax Notation One (ASN.1) [1], termed the Structure of 
Management Information (SMI) [2]. 


2. Overview 


This document is one in the series of documents that define various 


MIB objects, and statements of conformance, for IPv6. This document 
defines the required instrumentation for implementations of TCP over 
IPv6. 

3. Transparency of IP versions to TCP 


The fact that a particular TCP connection uses IPv6 as opposed to 
IPv4, is largely invisible to a TCP implementation. A "TCPng" did 
not need to be defined, implementations simply need to support IPv6 
addresses. 


As such, the managed objects already defined in [TCP MIB] are 
sufficient for managing TCP in the presence of IPv6. These objects 
are equally applicable whether the managed node supports IPv4 only, 
IPv6 only, or both IPv4 and IPv6. 


For example, tcpActiveOpens counts "The number of times TCP 
connections have made a direct transition to the SYN-SENT state from 
the CLOSED state", regardless of which version of IP is used between 
the connection endpoints. 


Stated differently, TCP implementations don’t need separate counters 
for IPv4 and for IPv6. 


4. Representing TCP Connections 
The exception to the statements in section 3 is the tcpConnTable. 
Since IPv6 addresses cannot be represented with the IpAddress syntax, 


not all TCP connections can be represented in the tcpConnTable 
defined in [TCP MIB]. 
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This memo defines a new, separate table to represent only those TCP 
connections between IPv6 endpoints. TCP connections between IPv4 
endpoints continue to be represented in tcpConnTable [TCP MIB]. (It 
is not possible to establish a TCP connection between an IPv4 
endpoint and an IPv6 endpoint.) 


A different approach would have been to define a new table to 
represent all TCP connections regardless of IP version. This would 
require changes to [TCP MIB] and hence to existing (IPv4-only) TCP 
implementations. The approach suggested in this memo has the 
advantage of leaving IPv4-only implementations intact. 


It is assumed that the objects defined in this memo will eventually 
be defined in an update to [TCP MIB]. For this reason, the module 
identity is assigned under the experimental portion of the MIB. 


5. Conformance 


This memo contains conformance statements to define conformance to 
this MIB for TCP over IPv6é implementations. 


6. Definitions 


IPV6-TCP-MIB DEFINITIONS ::= BEGIN 

IMPORTS 
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF 
MODULE-IDENTITY, OBJECT-TYPE, 
mib-2, experimental FROM SNMPv2-SMI 
Ipv6Address, Ipv6IfIndexOrZero FROM IPV6-TC; 


ipvé6éTcpMIB MODULE-IDENTITY 
LAST-UPDATED "98012900002" 
ORGANIZATION "IETF IPv6 MIB Working Group" 
CONTACT-INFO 


Mike Daniele 


Postal: Compaq Computer Corporation 
110 Spitbrook Rd 
Nashua, NH 03062. 
US 


Phone: +1 603 884 1423 
Email: daniele@zk3.dec.com" 
DESCRIPTION 
"The MIB module for entities implementing TCP over IPv6." 
::= { experimental 86 } 
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-—- objects specific to TCP for IPv6 


tcp OBJECT IDENTIFIER ::= { mib-2 6 } 


-- the TCP over IPv6 Connection table 


-—- This connection table contains information about this 

—- entity’s existing TCP connections between IPv6 endpoints. 
-—- Only connections between IPv6 addresses are contained in 
-—- this table. This entity’s connections between IPv4 

-—- endpoints are contained in tcpConnTable. 


ipvéTcpConnTable OBJECT-TYPE 


SYNTAX SEQUENCE OF Ipv6TcpConnEntry 
MAX-ACCESS not-accessible 

STATUS current 

DESCRIPTION 


"A table containing TCP connection-specific information, 


1998 


for only those connections whose endpoints are IPv6é addresses." 


r=. { tep 16} 


ipv6TcpConnEntry OBJECT-TYPE 

SYNTAX Ipv6TcpConnEntry 

MAX-ACCESS not-accessible 

STATUS current 

DESCRIPTION 
"A conceptual row of the ipv6TcpConnTable containing 
information about a particular current TCP connection. 
Each row of this table is transient, in that it ceases to 


exist when (or soon after) the connection makes the transition 


to the CLOSED state. 


Note that conceptual rows in this table require an additional 


index object compared to tcpConnTable, since IPv6 addresses 
are not guaranteed to be unique on the managed node." 
INDEX { ipv6TcpConnLocalAddress, 
ipv6TcpConnLocalPort, 
ipv6TcpConnRemAddress, 
ipv6TcpConnRemPort, 
ipv6TcpConnIfIndex } 
::= { ipv6TcpConnTable 1 } 


Ipv6TcpConnEntry ::= 
SEQUENCE { ipv6TcpConnLocalAddress Ipv6Address, 
ipv6TcpConnLocalPort INTEGER (0..65535), 
ipv6TcpConnRemAddress Ipv6Address, 
ipvéTcpConnRemPort INTEGER (0..65535), 
ipvéTcpConnIfIndex Ipv6IfIndexOrZero, 
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ipvéTcpConnState INTEGER } 


ipvéTcpConnLocalAddress OBJECT-TYPE 

SYNTAX Ipv6éAddress 

MAX-ACCESS not-accessible 

STATUS current 

DESCRIPTION 
"The local IPv6 address for this TCP connection. In 
the case of a connection in the listen state which 
is willing to accept connections for any IPv6 
address associated with the managed node, the value 
::0 is used." 

::= { ipv6TcpConnEntry 1 } 


ipvéTcpConnLocalPort OBJECT-TYPE 


SYNTAX INTEGER (0..65535) 
MAX-ACCESS not-accessible 
STATUS current 
DESCRIPTION 


"The local port number for this TCP connection." 
::= { ipv6TcpConnEntry 2 } 


ipvéTcpConnRemAddress OBJECT-TYPE 
SYNTAX Ipv6éAddress 
MAX-ACCESS not-accessible 
STATUS current 
DESCRIPTION 
"The remote IPv6 address for this TCP connection." 
:= { ipv6TcpConnEntry 3 } 


ipvéTcpConnRemPort OBJECT-TYPE 


SYNTAX INTEGER (0..65535) 
MAX-ACCESS not-accessible 
STATUS current 
DESCRIPTION 


"The remote port number for this TCP connection." 
:= { ipv6TcpConnEntry 4 } 


ipvéTcpConniIfIndex OBJECT-TYPE 
SYNTAX Ipv6IfIndexOrZero 
MAX-ACCESS not-accessible 
STATUS current 
DESCRIPTION 
"An index object used to disambiguate conceptual rows in 
the table, since the connection 4-tuple may not be unique. 


If the connection’s remote address (ipv6éTcpConnRemAddress) 
is a link-local address and the connection’s local address 
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(ipv6éTcpConnLocalAddress) is not a link-local address, this 
object identifies a local interface on the same link as 
the connection’s remote link-local address. 


Otherwise, this object identifies the local interface that 

is associated with the ipvéTcpConnLocalAddress for this 

TCP connection. If such a local interface cannot be determined, 
this object should take on the value 0. (A possible example 

of this would be if the value of ipv6TcpConnLocalAddress is ::0.) 


The interface identified by a particular non-0 value of this 
index is the same interface as identified by the same value 
of ipv6IfIndex. 


The value of this object must remain constant during the life 
of the TCP connection." 
::= { ipvéTcpConnEntry 5 } 


ipvéTcpConnState OBJECT-TYPE 

SYNTAX INTEGER { 
closed(1), 
listen(2), 
synSent (3), 
synReceived (4), 
established(5), 
finWait1 (6), 
finWait2 (7), 
closeWait (8), 
lastAck (9), 
closing(10), 
timeWait (11), 
deleteTCB(12) } 

MAX-ACCESS read-write 

STATUS current 

DESCRIPTION 
"The state of this TCP connection. 


The only value which may be set by a management station is 
deleteTCB(12). Accordingly, it is appropriate for an agent 

to return an error response (‘badValue’ for SNMPvl, ’wrongValue’ 
for SNMPv2) if a management station attempts to set this 

object to any other value. 


If a management station sets this object to the value 
deleteTCB(12), then this has the effect of deleting the TCB 
(as defined in RFC 793) of the corresponding connection on 
the managed node, resulting in immediate termination of the 
connection. 
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As an implementation-specific option, a RST segment may be 
sent from the managed node to the other TCP endpoint (note 
however that RST segments are not sent reliably) ." 

::= { ipv6TcpConnEntry 6 } 


-- conformance information 


ipvé6éTcpConformance OBJECT IDENTIFIER ::= { ipv6TcpMIB 2 } 
ipvéTcpCompliances OBJECT IDENTIFIER ::= { ipvéTcpConformance 1 } 
ipvéTcpGroups OBJECT IDENTIFIER ::= { ipvéTcpConformance 2 } 


-—- compliance statements 


ipvéTcpCompliance MODULE-COMPLIANCE 

STATUS current 

DESCRIPTION 
"The compliance statement for SNMPv2 entities which 
implement TCP over IPv6." 

MODULE -- this module 

MANDATORY-GROUPS { ipv6TcpGroup } 

::= { ipvéTcpCompliances 1 } 


ipvéTcpGroup OBJECT-GROUP 
OBJECTS { -- these are defined in this module 
-- ipvéTcpConnLocalAddress (not-accessible) 
-- ipvéTcpConnLocalPort (not-accessible) 
—- ipvé6éTcpConnRemAddress (not-accessible) 
-- ipvéTcpConnRemPort (not-accessible) 
-- ipvéTcpConnIfIndex (not-accessible) 
ipvéTcpConnState } 
STATUS current 
DESCRIPTION 
"The group of objects providing management of 
TCP over IPv6é." 
::= { ipvéTcpGroups 1 } 


END 
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Security Considerations 


This MIB contains a management object that has a MAX-ACCESS clause of 
read-write and/or read-create. In particular, it is possible to 
delete individual TCP control blocks (i.e., connections). 
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Consequently, anyone having the ability to issue a SET on this object 
can impact the operation of the node. 


There are a number of managed objects in this MIB that may be 
considered to contain sensitive information in some environments. 
For example, the MIB identifies the active TCP connections on the 
node. Although this information might be considered sensitive in 
some environments (i.e., to identify ports on which to launch 
denial-of-service or other attacks), there are already other ways of 
obtaining similar information. For example, sending a random TCP 
packet to an unused port prompts the generation of a TCP reset 
message. 


Therefore, it may be important in some environments to control read 
and/or write access to these objects and possibly to even encrypt the 
values of these object when sending them over the network via SNMP. 
Not all versions of SNMP provide features for such a secure 
environment. SNMPvl by itself does not provide encryption or strong 
authentication. 


It is recommended that the implementors consider the security 
features as provided by the SNMPv3 framework. Specifically, the use 
of the User-based Security Model [RFC2274] and the View-based Access 
Control Model [RFC2275] is recommended. 


It is then a customer/user responsibility to ensure that the SNMP 
entity giving access to an instance of this MIB, is properly 
configured to give access to those objects only to those principals 
(users) that have legitimate rights to access them. 
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Full Copyright Statement 
Copyright (C) The Internet Society (1998). All Rights Reserved. 


This document and translations of it may be copied and furnished to 
others, and derivative works that comment on or otherwise explain it 
or assist in its implementation may be prepared, copied, published 
and distributed, in whole or in part, without restriction of any 
kind, provided that the above copyright notice and this paragraph are 
included on all such copies and derivative works. However, this 
document itself may not be modified in any way, such as by removing 
the copyright notice or references to the Internet Society or other 
Internet organizations, except as needed for the purpose of 
developing Internet standards in which case the procedures for 
copyrights defined in the Internet Standards process must be 
followed, or as required to translate it into languages other than 
English. 


The limited permissions granted above are perpetual and will not be 
revoked by the Internet Society or its successors or assigns. 


This document and the information contained herein is provided on an 
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
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